05-01-2021 01:25 AM - edited 05-01-2021 01:28 AM
Hello everyone.
I've a small problem here, can not forward any port from outside to internal web server.
My server is listening on 1000. I want to forward <external IP>:80 to <internal IP>:1000.
I've tried without luck:
# ip nat inside source static tcp 192.168.11.3 1000 92.255.###.### 80 extendable
But still, 80 port remains closed from outside.
What do I miss?
Thanks.
Sat May 01 2021 13:14:13 GMT+0500 (GMT+05:00)
===================================================================================
#show config
Using 4054 out of 33554432 bytes
!
! Last configuration change at 07:17:16 UTC Sat May 1 2021
!
version 17.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname ISR4331
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging console emergencies
enable secret 9 ####bFGeXeOWIV7CFk$xf1pg/6wu50iZKLlgJvTBcYdUw8a.WB29z4nk/RSKXk
enable password ###
!
no aaa new-model
!
ip name-server 109.194.###.### 5.3.3.3
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-108830138
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-108830138
revocation-check none
rsakeypair TP-self-signed-108830138
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-108830138
certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
crypto pki certificate chain SLA-TrustPoint
certificate ca 01 nvram:CiscoLicensi#1CA.cer
!
!
license udi pid ISR4331/K9 sn FDO24370Y1Q
memory free low-watermark processor 67926
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 password 0 Z#####n2
!
redundancy
mode none
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description wan
no ip address
ip mtu 1452
ip access-group 1 in
ip access-group 1 out
ip tcp adjust-mss 1412
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/1
ip dhcp client client-id ascii JTV2443B057
ip address 192.168.11.5 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Dialer1
ip address 92.255.###.### 255.255.255.0
ip mtu 1452
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1412
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp mtu adaptive
ppp authentication chap pap callin
ppp chap hostname v1830552
ppp chap password 0 rht46kyd
ppp pap sent-username v1####552 password 0 rh#####kyd
ppp ipcp dns request
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
ip nat pool real-hosts 192.168.11.1 192.168.11.255 prefix-length 24 type rotary
ip nat inside source static tcp 192.168.11.3 1000 92.255.###.### 80 extendable
ip nat inside source list 1 interface Dialer1 overload
ip nat inside destination list 2 pool real-hosts
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
!
ip access-list standard 1
10 permit 192.168.11.0 0.0.0.255
ip access-list standard 2
ip access-list extended 197
dialer-list 1 protocol ip permit
!
!
route-map track-primary-if permit 1
match ip address 197
set interface Dialer1
!
!
!
05-01-2021 01:52 AM
You need to deny the host port so that it is not NATed by the outgoing NAT.
Here are example steps:
https://www.petenetlive.com/KB/Article/0000533
05-01-2021 03:00 AM
05-01-2021 05:48 PM
Move line 30 to the top, above 10 (I mean the first line) - also remove the ACL from G 0/0 as suggested.
(Personally I use IP any any instead of TCP or UDP) - but do what is comfortable.
So 10 will be deny
20 permit TCP
30 Permit UDP
interface GigabitEthernet0/0/0
no ip access-group 1 in
no ip access-group 1 out
05-06-2021 10:49 PM - edited 05-06-2021 10:51 PM
Hello, could you please take a closer look at my config again?
Recently, thanks to Mr. Paul Driver in this thread I've managed to put ACL and NAT in order, and disabled a lot of trashy entries, but still got no success with Port Forwarding.
So, in summary.
There is the internal web server 192.168.11.3, listening on 1000 port - confirmed, I can literally write 192.168.11.3:1000 on browser and see my page.
ISP does not block any port - confirmed, since my previous Rtr had not had any problems with the Port Forward thing.
I've added static NAT entry: ip nat inside source static tcp 192.168.11.3 1000 92.255.***.* 80 extendable
Now from Rtr:
Telnet 192.168.11.3 1000 says Open.
Telnet 92.255.***.* 80 says.... Timeout.
I'm totally out of clue O_o
Here is recent config:
Fri May 07 2021 10:36:55 GMT+0500 (GMT+05:00)
===================================================================================
#show running-config
Building configuration...
Current configuration : 7545 bytes
!
! Last configuration change at 05:35:12 UTC Fri May 7 2021 by admin
!
version 17.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname ISR4331
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging console emergencies
enable secret 9 $9$bFGeXeOWIV7CFk$xf1pg/6wu50iZKLlgJvTBcYdUw8a.WB29z4nk/RSKXk
enable password ****
!
no aaa new-model
!
ip name-server 109.194.160.1 5.3.3.3
!
!
!
login on-success log
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-108830138
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-108830138
revocation-check none
rsakeypair TP-self-signed-108830138
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
license udi pid ISR4331/K9 sn FDO24370Y1Q
memory free low-watermark processor 67926
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 password 0 ****
!
redundancy
mode none
!
!
no cdp run
!
!
!
interface GigabitEthernet0/0/0
description wan
no ip address
ip mtu 1492
ip nat outside
ip tcp adjust-mss 1452
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/1
ip dhcp client client-id ascii JTV2443B057
ip address 192.168.11.5 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp mtu adaptive
ppp authentication chap pap callin
ppp chap hostname v1830552
ppp chap password 0 ****
ppp pap sent-username v1830552 password 0 ****
ppp ipcp dns request
ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http port 10500
ip http authentication local
ip http secure-server
ip http secure-port 11000
ip http client source-interface GigabitEthernet0/0/1
ip nat inside source static tcp 192.168.11.3 1000 92.255.***.* 80 extendable
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip access-list standard 1
5 deny 192.168.11.3
10 permit 192.168.11.0 0.0.0.255
20 permit 192.168.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password ****
login
length 0
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
!
!
event manager applet 1619495654227storeShowTech
event none sync no maxrun 31536000
action 001 cli command "enable"
action 002 cli command "traceroute google.com"
action 003 file open TECHFILE bootflash:1619495654227sh_tech.txt w+
action 004 file puts TECHFILE "$_cli_result"
action 005 file close TECHFILE
!
end
05-01-2021 02:17 AM - edited 05-01-2021 02:25 AM
Umm, I'm a total newbie with Cisco, sorry for being lame, but in the second step...
PetesRouter#access-list 101 deny tcp host 10.10.0.1 eq 443 any
...I got this error:
# access-list 1 deny tcp host 192.168.11.1 eq 80 any
access-list 1 deny tcp host 192.168.11.1 eq 80 any
^
% Invalid input detected at '^' marker.
Also, "show run | include access-list 1" shows nothing.
And "show run | include access-list standard 1" shows "ip access-list standard 1", which is not what I expected to see according to the manual.
05-01-2021 02:27 AM
Hello
Is host 192.168.11.3 enabled for http port 1000 ?
05-01-2021 02:31 AM
yes, if I go 192.168.11.3:1000 from browser, I see my web server page.
05-01-2021 12:29 PM
Hello
interface GigabitEthernet0/0/0
no ip access-group 1 in
no ip access-group 1 out
ip access-list standard 1
5 deny host 192.168.11.3
05-05-2021 12:37 AM
hello again.
tried this and left my office without internet
if I remove ACL from 0/0 port, I end up offline.
I also tried to apply different ACL for 0/0 (wan) inbound traffic, allowing literally everything (see screenshot), but still no luck.
maybe I should make up some ACL for logical interface instead of physical 0/0 ?
05-05-2021 01:45 AM
Hello
Sorry to hear this however based on the configuration you previously supplied, removing those access lists from the physical interface gig0/0 of your router and applying a deny ace statement to the nat acl shouldn’t have stopped internet access for the office.
Can you confirm in a file the current running configuration of your router
05-05-2021 01:55 AM - edited 05-05-2021 01:59 AM
Sure, here it is.
Please note that the outside NAT interface is set on the logical interface Dialer1, while the only ACL rule is applied to the physical GigabitEthernet0/0/0. If I remove the rule from 0/0/0 or move it to Dialer1 for example (I've tried), I end up with no internet.
and I've also tried telnet 192.168.11.3 80 or 1000, it says the port is open, while telnet (external ip) 80 says the port is closed.
Wed May 05 2021 13:47:13 GMT+0500 (GMT+05:00)
===================================================================================
#show running-config
Building configuration...
Current configuration : 8208 bytes
!
! Last configuration change at 08:50:35 UTC Wed May 5 2021 by admin
!
version 17.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname ISR4331
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging console emergencies
enable secret 9 $9$bFGeXeOWIV7CFk$xf1pg/6wu50iZKLlgJvTBcYdUw8a.WB29z4nk/RSKXk
enable password *******
!
no aaa new-model
!
ip name-server 109.194.160.1 5.3.3.3
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-108830138
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-108830138
revocation-check none
rsakeypair TP-self-signed-108830138
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-108830138
certificate self-signed 01
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
quit
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
!
license udi pid ISR4331/K9 sn FDO24370Y1Q
memory free low-watermark processor 67926
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 password 0 ********
!
redundancy
mode none
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description wan
no ip address
ip mtu 1452
ip access-group nACL in
ip access-group nACL out
ip tcp adjust-mss 1412
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/1
ip dhcp client client-id ascii JTV2443B057
ip address 192.168.11.5 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Dialer1
ip address 92.255.***** 255.255.255.0
ip mtu 1452
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1412
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp mtu adaptive
ppp authentication chap pap callin
ppp chap hostname v1830552
ppp chap password 0 *****
ppp pap sent-username v1830552 password 0 *******
ppp ipcp dns request
!
ip forward-protocol nd
ip http server
ip http port 10500
ip http authentication local
ip http secure-server
ip http secure-port 11000
ip http client source-interface GigabitEthernet0/0/1
ip nat pool real-hosts 192.168.11.1 192.168.11.255 prefix-length 24 type rotary
ip nat inside source static tcp 192.168.11.3 80 92.255.*****80 extendable
ip nat inside source static udp 192.168.11.3 500 92.255.**** 500 extendable
ip nat inside source static tcp 192.168.11.3 1723 92.255.**** 1723 extendable
ip nat inside source list 1 interface Dialer1 overload
ip nat inside destination list 2 pool real-hosts
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip access-list extended nACL
10 permit tcp 192.168.11.0 0.0.0.255 any
20 permit udp 192.168.11.0 0.0.0.255 any
30 permit tcp host 92.255.**** eq www 192.168.11.0 0.0.0.255 eq www
ip access-list extended test
10 permit tcp host 92.255.**** 192.168.11.0 0.0.0.255
!
ip access-list standard 1
10 permit 192.168.11.0 0.0.0.255
ip access-list standard 2
ip access-list extended 197
dialer-list 1 protocol ip permit
!
!
route-map track-primary-if permit 1
match ip address 197
set interface Dialer1
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password ******2
login
length 0
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
!
!
event manager applet 1619495654227storeShowTech
event none sync no maxrun 31536000
action 001 cli command "enable"
action 002 cli command "traceroute google.com"
action 003 file open TECHFILE bootflash:1619495654227sh_tech.txt w+
action 004 file puts TECHFILE "$_cli_result"
action 005 file close TECHFILE
!
end
05-05-2021 03:13 AM
Hello
@DmitryMitreikin74594 wrote:
interface Dialer1
ip address 92.255.***** 255.255.255.0
I've tried without luck:
ip nat inside source static tcp 192.168.11.3 1000 92.255.###.### 80 extendable
ip nat inside source static tcp 192.168.11.3 80 92.255.*****80 extendable
ip access-list standard 1
10 permit 192.168.11.0 0.0.0.255
So first of all, the public IP address you are using for the static NAT: can you confirm if it's the same IP address as the dialer IP address, or is it a spare IP from your public assigned IP range?
Can you try the following:
no ip nat inside source static tcp 192.168.11.3 80 92.255.*****80 extendable
ip nat inside source static tcp 192.168.11.3 1000 interface Dialer1 80
ip access-list standard 1
5 deny host 192.168.11.3
05-05-2021 03:27 AM
Yes, my public IP is given me by ISP and is static, and I've written it down on Dialer1 settings.
I have replaced NAT record that you told me, and added line on ACL (with only a slight change, as my applied ACL rule is called nACL, not 1).
the same, telnet says timeout.
05-05-2021 06:55 AM - edited 05-05-2021 06:56 AM
Hello
@DmitryMitreikin74594 wrote:
I have replaced NAT record that you told me, and added line on ACL (with only a slight change, as my applied ACL rule is called nACL, not 1).
You need to apply that ACE statement on the NAT ACL, which is ip access-list standard 1, and not on those interface access-lists.
Also those interface access-lists are incorrect and you have NAT load balancing statements, additional access-lists and route-maps not doing anything!
Suggest the following:
interface GigabitEthernet0/0/0
no ip access-group nACL in
no ip access-group nACL out
no ip nat pool real-hosts 192.168.11.1 192.168.11.255 prefix-length 24 type rotary
no ip nat inside destination list 2 pool real-hosts
no ip access-list standard 2
no ip access-list extended 197
no ip access-list extended test
ip access-list standard 1
5 deny host 192.168.11.3
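Added example, not part of any post in this thread: a small Python model of first-match and implicit-deny ACL evaluation, run over the nACL entries from the 05-05 configuration to show how they treat an inbound connection to the public address on port 80. The WAN and client addresses are constructed RFC 5737 stand-ins because the thread masks the real public IP, and entry 40 in the demo is a constructed entry used only for comparison.

```python
import ipaddress

# Constructed stand-ins: the thread masks the public address, so RFC 5737
# documentation addresses are used for the router's WAN IP and the client.
WAN_IP, CLIENT = "198.51.100.1", "203.0.113.10"
PORTS = {"www": 80}

# nACL as posted in the 05-05 configuration (public IP substituted).
NACL = f"""
10 permit tcp 192.168.11.0 0.0.0.255 any
20 permit udp 192.168.11.0 0.0.0.255 any
30 permit tcp host {WAN_IP} eq www 192.168.11.0 0.0.0.255 eq www
"""

def _num(ip):
    return int(ipaddress.IPv4Address(ip))

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_num(tok[1]), 0), tok[2:]
    return (_num(tok[0]), _num(tok[1])), tok[2:]

def _port(tok):
    """Consume an optional 'eq PORT' qualifier; return (port or None, rest)."""
    if tok[:1] == ["eq"]:
        return int(PORTS.get(tok[1], tok[1])), tok[2:]
    return None, tok

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        seq, action, proto, *rest = line.split()
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        entries.append((int(seq), action, proto, src, sport, dst, dport))
    return entries

def _ip_match(ip, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # wildcard bits set to 1 are ignored
    return (_num(ip) & care) == (base & care)

def evaluate(entries, proto, src, sport, dst, dport):
    """First matching entry wins; falling off the end is the implicit deny."""
    for seq, action, e_proto, e_src, e_sport, e_dst, e_dport in entries:
        if (e_proto in ("ip", proto) and _ip_match(src, e_src)
                and _ip_match(dst, e_dst) and e_sport in (None, sport)
                and e_dport in (None, dport)):
            return action, seq
    return "deny", None

def inbound_web_request(acl_text):
    """Internet client opening TCP/80 on the public address. An inbound
    interface ACL is checked before NAT rewrites the destination."""
    return evaluate(parse_acl(acl_text), "tcp", CLIENT, 51000, WAN_IP, 80)

if __name__ == "__main__":
    print("nACL as posted:", inbound_web_request(NACL))
    fixed = NACL + f"40 permit tcp any host {WAN_IP} eq www\n"   # constructed entry
    print("with entry 40: ", inbound_web_request(fixed))
```

Entry 30 only matches packets whose source is the router's own public address with source port www, so a client's connection to port 80 matches no entry and falls through to the implicit deny.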